China Wants Banking Backdoors

Chinese authorities reportedly want to see the source code for all software and hardware that gets sold to its banking sector, as well as see vendors submit to rigorous audits and build government-approved backdoors into their products. But Western technology firms have reacted with alarm at the proposed "cybersecurity review regime," and warned that it may soon be expanded to cover much more than just the banking sector.

The draft Chinese banking regulations were contained in a 22-page report that was finalized at the end of 2014, and which is expected to be officially unveiled in the coming months as part of a Beijing-led cybersecurity push, The New York Times reports.

The current version of the letter from Chinese authorities - which has reportedly been circulating in draft form in recent months, triggering escalating alarm from foreign technology firms - says 75 percent of the software and hardware products used by the Chinese financial services sector must be "secure and controllable" by 2019. The letter does not define what it means by those terms, but includes a chart specifying that for many types of computing and network equipment, vendors would have to share their source code with Chinese authorities.

A collection of 18 U.S. businesses groups, including the U.S. Chamber of Commerce and AmCham China, have criticized the Chinese proposals, saying they amount to protectionism. In a Jan. 27 letter written to the Central Leading Small Group for Cyberspace Affairs - led by Chinese President Xi Jinping - the groups have demanded "urgent discussion and dialogue" on the matter.

"An overly broad, opaque, discriminatory approach to cybersecurity policy that restricts global Internet and ICT products and services would ultimately isolate Chinese ICT firms from the global marketplace and weaken cybersecurity, thereby harming China's economic growth and development and restricting customer choice," the letter reads, according to the BBC. The letter adds that the cybersecurity proposals would "unnecessarily restrict the ability of Chinese entities to source the most reliable and secure technologies, which are developed in the global supply chain."

China's financial services sector is set to spend $465 billion on information and communications technology this year, which is an increase of 11 percent from 2014, and second only to U.S. financial service sector spending on IT, according to market researcher IDC.

New 'Cybersecurity' Requirements

The draft Chinese banking sector proposal would also require vendors to create research and development centers in China, obtain special permits for any workers that would service the equipment and give Chinese authorities the ability to monitor software and hardware via special "ports," the Times reports.

A draft Chinese cybersecurity bill, meanwhile, would go even further and require businesses to store all Chinese users' data solely on servers in China, institute anti-terrorist surveillance, as well as share all encryption keys with authorities, the report adds.

The moves are part of a nationwide, government-promulgated push to shift to homegrown technology - over foreign alternatives - by 2020. Such moves have been accelerated after recent test projects in the northeastern city of Siping, in which foreign technology was replaced with domestic alternatives, were deemed to be a success, according to a December 2014 Bloomberg News report. Those tests reportedly included replacing machines running the Windows operating system with the Chinese-built OS NeoKylin, as well as eliminating foreign-built servers in favor of alternatives manufactured by China's Inspur Group.

Anti-Trust Pressure

The shift to using homegrown products has been accompanied by anti-trust moves, following the passage of a new anti-trust regulation in 2008. Since then, Chinese regulators have launched anti-trust investigations into more than 30 foreign firms, including Microsoft and Qualcomm. China's stance has been criticized by U.S. Federal Trade Commission Edith Ramirez, who said the efforts "suggest an enforcement policy focused on reducing royalty payments for local implementers as a matter of industrial policy, rather than protecting competition and long-run consumer welfare."

As part of the anti-trust investigations, Chinese authorities have also raided the China offices of Microsoft and its business partner Accenture, prohibited government procurement of iPads, and banned Windows 8 from being used on government computers. State-run news agency Xinhua has reported that the Windows 8 ban represented authorities' response to Microsoft ceasing to issue security updates for Windows XP as of May 2014. At that time, 70 percent of Chinese PCs were running Windows XP.

Scant Moral High Ground

Market watchers expect President Barack Obama to protest the move by Chinese authorities because of the intellectual property concerns facing Western firms that divulge their source code to Chinese authorities, who might then funnel it to their Chinese competitors. The U.S. has already responded to public revelations over Chinese hack attacks by charging five Chinese army officers for hacking American corporate computers to steal intellectual property (see The Real Aim of U.S. Indictment of Chinese).

But the Chinese cybersecurity moves follow Edward Snowden's leaks of National Security Agency information, which show that the NSA team known as TAO - for Tailored Access Operations - has attempted to find ways of exploiting all major IT equipment, from vendors such as Cisco and Dell to Chinese IT giant Huawei.

As a result, many Western governments - beyond the question of intellectual property theft - arguably occupy scant moral high ground in encryption and surveillance-related matters. Indeed, President Obama has recently said that authorities should be able to crack encrypted communications during the course of law enforcement investigations, while U.K. Prime Minister David Cameron has proposed weaking cryptographic systems in the name of counterterrorism.

China's push for more adoption of domestically sourced technology is likely also a response to U.S. authorities discouraging American businesses from acquiring networking equipment from Huawei or ZTE over fears that the Chinese vendors could have built back doors into their products. In response, Huawei proposed that it would launch independent cybersecurity testing labs internationally to prove that its products were secure, which has included opening a center of excellence in London.

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;

Enter your email address to reset your password

Already have anISMG account?

Forgot Your Password Message:

Contact Us

Already have anISMG account?

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.